Features of HIPAA Hosting
HIPAA plans are not much different from other hosting plans but include extra features such as data encryption, firewalls, managed hosting services, intrusion detection systems, and the use of special security tools. You will still get the standard features of hosting plans available all over the web. Also, just like any other hosting plan, HIPAA hosting plans feature similar user interfaces for website administration such as cPanel or Plesk. Standard HIPAA hosting plans include cloud-based plans, VPS, and dedicated server hosting.
Unlike other hosting companies, however, a web hosting company that is HIPAA compliant is independently and regularly audited. Many organizations go above and beyond HIPAA compliance and are certified as SOC 1, SOC 2, and SSAE compliant as well as being audited for HITECH compliance.
What’s more, your HIPAA host must be extremely responsive. Though many hosting providers offer 24/7 support every day of the year, this is not sufficient. The HIPAA hosting provider you select should have guaranteed response times. They should report any security incidents including data breaches and hacking attempts in a timely fashion.
A HIPAA hosting company should have security features that cover multiple aspects, including restricting physical access to the data servers. This includes monitoring the actual physical location and only allowing authorized personnel access. Another must-have is the use of encryption, even though, according to HealthITSecurity, encryption is not required by HIPAA. Finally, the hosting provider should make use of firewalls, intrusion detection and prevention systems, and have staff members who understand HIPAA.
At a minimum, your HIPAA hosting provider should be HIPAA certified. However, you should really consider a hosting company that goes above and beyond this with compliance and certifications in multiple areas, including HITECH, SOC 1, and SOC 2.
This is about liability; getting HIPAA hosting provides some amount of insurance. That doesn’t mean that you don’t still have to take great care with patient data. But having HIPAA hosting reduces your risk.
According to web hosting provider Online Tech, the HIPAA rule has been modified to classify any hosting entity dealing with patient health data as an associate. As a result, they will be subject to HIPAA-based requirements and thus be liable for patient data breaches. In fact, the law firm Davis Wright Tremaine encourages third-party vendors to take extra precautions with data providers.
HIPAA Hosting Isn’t Cheap
Since HIPAA compliance requires extra security measures and monitoring, these plans tend to be more expensive than a standard hosting plan. Prices vary depending on the type of plan, but you can easily pay a few hundred dollars a month. This is well worth the expense considering the fines and potential liabilities for non-compliance, in some cases totaling millions of dollars for a breach of patient data.
When you need HIPAA hosting, you need to consider companies with specialized infrastructure and staff to take care of HIPAA compliance. Some of these companies include Liquid Web and Amazon Web Services. But check all the hosts listed at the top of this page.
HIPAA Frequently Asked Questions
What is HIPAA?
HIPAA or the Health Insurance Portability and Accountability Act is a law established by the US government to protect individual health records from falling into the wrong hands.
The regulations related to HIPAA ultimately decide how health records are stored, who has access, and how they can be disseminated.
Does HIPAA apply to electronic records?
Though HIPAA was created when paper records were the norm, the act still applies to electronic records. This includes hosting services, storage services, and even computer or mobile phone applications.
How are HIPAA regulations enforced?
HIPAA regulations are enforced through the Department of Health and Human Services, which begins enforcement and a thorough investigation once the department receives a complaint.
How do I know if I need HIPAA hosting?
Since this is a legal matter, make sure to consult a legal professional for more information.
However, if you are developing a medical application on any platform that accesses patient data over the web or needs to store patient data on servers accessible from the internet, you need HIPAA-based hosting.
What are the consequences of failing to meet regulations?
Companies that fail to meet HIPAA regulations are not only subject to fines from the government; they can also be subject to lawsuits. In one case, a hospital was fined millions of dollars as a result of a breach of patient data.
So, for your hosting needs, it is very important to choose a well-reputed HIPAA host especially for applications that deal with patient data.
What are some advantages to using a HIPAA based host?
Having a HIPAA host will not only save you time but also money in terms of implementing a solution that is compliant with HIPAA and taking steps to safeguard patient data.
Using a HIPAA host allows you to outsource these tasks and focus your efforts on application development instead of compliance. It also reduces your legal risk and helps you build trust with clients in the medical community.
Is HIPAA-based hosting expensive?
Since web hosts that specialize in HIPAA need to take extra steps in safeguarding data, meeting regulations, and undergoing audits, the plans provided by these hosts tend to be more expensive than standard hosting plans.
In general, plans can cost hundreds of dollars a month. But, it is worth the cost especially considering legal liabilities when patient data is breached.
What types of certifications should a HIPAA based hosting company have?
Since HIPAA just covers the basics in terms of data protection, many hosting companies go above and beyond being HIPAA certified.
Other certifications a host may have include SOC 1, SOC 2, SSAE, and HITECH. As time goes by, newer certifications may be added as a result of developments in the security industry.
How do I know if my host is really HIPAA compliant?
Most hosting companies cannot just say they are HIPAA compliant since they would incur a huge legal liability. However, you should look for a host that uses HIPAA compliant datacenters.
In fact, according to Mike Klein, the hosting company’s datacenter or the company itself should be able to provide a HROC or HIPAA Report on Compliance to you outright or under an NDA (non-disclosure agreement).
What extra features does a HIPAA-based hosting company have?
HIPAA-based hosting companies have all the features a standard hosting plan has, plus additional security features.
These features include intrusion detection, intrusion prevention, firewalls, data encryption, and managed hosting as well as the use of special security tools.
What type of support should I get from a HIPAA hosting company?
Your HIPAA hosting provider should not just offer 24/7 support.
They should have guaranteed response times and provide multiple avenues of support including phone, live chat, support tickets, and email. The host should also report all security incidents immediately.
Whether or not your host provides this information, consider speaking to company personnel about support options before purchasing a hosting plan.
What are some qualities that a HIPAA host’s staffing should have?
When looking for a HIPAA hosting company, you should take a serious look at the employees who work there.
Find out if the company performs background checks on employees, the types of background checks, and whether or not there are employees who actually understand and have worked with HIPAA.
About Brian Wu
Brian specializes in technology and medicine. This isn't surprising given he now has a PhD in integrative biology and disease and an MD with a focus on holistic treatment. In the past, he's been an actor. Brian lives in southern California.